UCAM-CL-TR-909 Technical Report ISSN 1476-2986 Number 909 Computer Laboratory Exploring new attack vectors for the exploitation of smartphones Laurent Simon July 2017 15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500 http://www.cl.cam.ac.uk/ c 2017 Laurent Simon This technical report is based on a dissertation submitted April 2016 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Homerton College. Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/techreports/ ISSN 1476-2986 Summary Smartphones have evolved from simple candy-bar devices into powerful miniature computing platforms. Today’s smartphones are complex multi-tenant platforms: users, OS providers, manufacturers, carriers, and app developers have to co-exist on a single device. As with other computing platforms, smartphone security research has dedicated a lot of effort, first, into the detection and prevention of ill-intentioned software; second, into the detection and mitigation of operating system vulnerabilities; and third, into the detection and mitigation of vulnerabilities in applications. In this thesis, I take a different approach. I explore and study attack vectors that are specific to smartphones; that is, attack vectors that do not exist on other computing platforms because they are the result of these phones’ intrinsic characteristics. One such characteristic is the sheer number of sensors and peripherals, such as an accelerometer, a gyroscope and a built-in camera. Their number keeps increasing with new usage scenarios, e.g. for health or navigation. So I show how to abuse the camera and microphone to infer a smartphone’s motion during user input. I then correlate motion characteristics to the keyboard digits touched by a user so as to infer PINs. This can work even if the input is protected through a Trusted Execution Environment (TEE), the industry’s preferred answer to the trusted path problem. Another characteristic is their form factor, such as their small touch screen. New input methods have been devised to make user input easier, such as “gesture typing”. So I study a new side channel that exploits hardware and software interrupt counters to infer what users type using this widely adopted input method. Another inherent trait is that users carry smartphones everywhere. This increases the risk of theft or loss. In fact, in 2013 alone, 3.1M devices were stolen in the USA1, and 120, 000 in London2. So I study the effectiveness of anti-theft software for the Android platform, and demonstrate a wide variety of vulnerabilities. Yet another characteristic of the smartphone ecosystem if the pace at which new devices are released: users tend to replace their phone about every 2 years, compared to 4.5 years for their personal computers. For already 60% of users today3, the purchase of a new smartphone is partly funded by selling the previous one. This can have privacy implications if the previous owner’s personal data is not properly erased. So I study the effectiveness of the built-in sanitisation features in Android smartphones, lifting the curtains on their problems and their root causes. 1http://www.consumerreports.org/cro/news/2014/04/smart-phone-thefts-rose-to-3-1- million-last-year/index.htm 2http://www.london.gov.uk/media/mayor-press-releases/2013/07/mayor-challenges- phone-manufacturers-to-help-tackle-smartphone 3https://www.gartner.com/newsroom/id/2986617 3 This thesis demonstrates that smartphone platforms have, by their nature, enabled new and specific avenues of attack. I hope these findings provide new insights for all stakeholders involved in the development of smart platforms. 4 Acknowledgements I thank my supervisor, Ross Anderson, for never losing faith in me. He has given me invaluable insights, advice, and support. My research was supported by Samsung. I thank my wife, Ann, who has been instrumental in keeping me positive in times of self-doubt; and my parents for supporting me throughout my education. I thank all the members of the Mobile Reading Group for fostering valuable discussions, and my first-year viva examiners Alastair Beresford and Robert Watson for the suggestions they gave. I thank all my fellow students at the lab who have helped me, including Rubin Xu, Wei-Ming Khoo, Dongting Yu, Kumar Sharad, Ilias Marinos, Marios Omar Choudary, Sheharbano Khattak, Khaled Baqer, Christian O’Connell, Stephan Kollmann, Simon Baker, Yiannos Stathopoulos, Wenduan Xu, Sandro Bauer, David Llewellyn-Jones, Alice Hutchings, Graeme Jenkinson, Bjoern A. Zeeb, Jeunese Payne, David Modic, and Sophie Van Der Zee. 5 6 Contents 1 Introduction 11 1.1 ChapterOutline................................. 11 1.2 Publications................................... 12 2 Background 15 2.1 MobilePlatforms ................................ 15 2.1.1 Windows................................. 18 2.1.2 iOS.................................... 18 2.1.3 Android ................................. 19 2.2 SecurityEnabler ................................ 21 2.3 PlatformVulnerabilities . ... 22 2.3.1 SmartphoneOSVulnerabilities . 22 2.3.2 OEM-IntroducedVulnerabilities . ... 25 2.3.3 Carrier-levelVulnerabilities . .... 27 2.4 AppVulnerabilities ............................... 29 2.5 Malware..................................... 30 2.5.1 MalwareCategories. 30 2.5.2 MalwareDistributionChannels . 31 2.5.3 MitigationSolutions . 32 2.6 SideChannels.................................. 33 2.7 Forensics..................................... 34 2.7.1 DataAcquisition ............................ 35 2.7.2 DataReconstruction . 36 2.7.3 SecureDeletion ............................. 36 2.8 ThisDissertation ................................ 37 CONTENTS CONTENTS 3 Inferring PINs Through The Camera and Microphone 39 3.1 Introduction................................... 39 3.2 AttackPrinciples ................................ 41 3.2.1 AttackFlow............................... 43 3.2.2 Stealthiness ............................... 44 3.3 ImplementationDetails. .. 46 3.3.1 CollectingMode............................. 46 3.3.2 FeatureExtraction . 46 3.3.3 LearningMode ............................. 48 3.3.4 LoggingMode.............................. 48 3.4 Evaluation.................................... 51 3.4.1 Setup .................................. 51 3.4.2 Single-DigitPrediction . 51 3.4.3 PINPredictions............................. 54 3.5 Limitations ................................... 58 3.6 PossibleCountermeasures . .. 59 3.6.1 Non-TEEdevices ............................ 59 3.6.2 TEE-enableddevices . 60 3.6.3 OtherConsiderations. 60 3.7 ToPatchorNottoPatch ........................... 61 3.8 Summary .................................... 62 4 Interrupt-based Side Channel on Android 63 4.1 Introduction................................... 64 4.2 BackgroundandThreatModel. 65 4.2.1 Android Soft-keyboards & Gesture Typing . .. 65 4.2.2 Android&procfs ............................ 66 4.2.3 AttackOverview ............................ 67 4.3 Evaluation.................................... 76 4.3.1 Methodology .............................. 76 4.3.2 WordPrediction ............................ 78 8 CONTENTS CONTENTS 4.3.3 DetectionofSentencesofInterest . ... 78 4.3.4 De-AnonymizationofUsers . 81 4.4 Countermeasures ................................ 85 4.5 ToPatchorNottoPatch ........................... 89 4.6 Discussion.................................... 90 4.7 Summary .................................... 92 5 Security Analysis of Android Factory Resets 95 5.1 Introduction................................... 95 5.2 TechnicalBackground ............................. 98 5.2.1 Flash&FileSystems.......................... 98 5.2.2 SecureDeletionLevels . 99 5.2.3 LinuxKernelDeletionAPIs . 100 5.2.4 DataPartitions .............................100 5.3 AnalysisofAndroidFactoryReset . 101 5.3.1 Methodology .............................. 101 5.3.2 ResultsandDiscussion . .105 5.4 DataRecoveryinPractice . 110 5.4.1 GeneralResults .............................112 5.4.2 CaseStudy: HijackingGoogleAccounts . 112 5.4.3 PossibleAttackers. .112 5.5 AlternativeSanitisationMethods . 113 5.6 Recommendations................................115 5.7 EncryptionRequirements. 116 5.8 Summary ....................................117 6 Security Analysis of Android Anti-Theft Apps 119 6.1 Introduction...................................119 6.2 Background ...................................121 6.2.1 Bootloader,RecoveryandSafeModes. 121 6.2.2 Mobile Anti-Virus (MAV) Apps and Device Admin API . 122 6.3 Methodology ..................................124 9 CONTENTS CONTENTS 6.4 AccountAuthentication ............................125 6.5 AppConfiguration&UserInterface. 126 6.6 LockImplementationsandEffectiveness . .128 6.6.1 RemovalofMAVs&APIMisuse . 128 6.6.2 RateLimiting..............................132 6.6.3 MAVResponse .............................133 6.6.4 Network-levelAttacks . .133 6.6.5 VendorandCustomisedAndroidFailures . 134 6.6.6 Misc ...................................136 6.6.7 EncryptiontotheRescue . 137 6.7 WipeImplementations .............................137 6.7.1 GeneralResults .............................137 6.7.2 CaseStudiesofLookoutandAvast . 139 6.7.3 InherentProblemofRemoteWipe . 140 6.8 Discussion....................................140 6.9 Summary ....................................141 7 Conclusions 143 Bibliography 147 10 Chapter 1 Introduction 1.1 Chapter Outline Smartphones have become ubiquitous, with
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages167 Page
-
File Size-